Configure the hash

Certification Authority configuration

One major problem with CAcert is that this CA is not recognised as trusted by (major) operating systems and (major) web browsers. That is why you get a red warning "This certificate was signed by an unknown authority" in the Keychain Access application.

You need to import and trust the CAcert root certificate. You can get the CAcert root certificate from https://www.cacert.org/index.php?id=3. I fetched the root certificate in PEM format and saved it as root.cer.

The CAcert root certificate should be trusted and should not display any blue mark.

Bad:

Good:

User certificate validity

Check that the certificate on your smartcard is now considered valid (with no special blue mark on it):

The certificate must be valid for any user, not just yourself. A good way to check that is to verify that the certificate is also valid from another user account. The certificate must be valid before the user is logged in, so it must not depend on a special (trust) configuration for a particular user.

You can get more details by evaluating the certificate from the Keychain Access application.

Control-click on the certificate

Select "Evaluate ..." from the popup menu

Click "Continue" in the next dialog box

Check the certificate status
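A command-line counterpart to the Keychain Access steps above, as an added example that is not from the original article: it trusts root.cer in the system-wide (admin) trust domain, so the setting is not tied to one user, and then evaluates the user certificate. The file name user.pem (the certificate exported from the smartcard) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# Return codes: 0 = success, 2 = the macOS `security` tool is missing,
#               3 = input is not a readable PEM certificate,
#               anything else = the exit status of `security` itself.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Cheap sanity check so a wrong file is rejected before touching trust settings.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 3
}

# Trust the CA root for every account on the machine.
# -d writes to the admin trust settings; without it only the current user's
# trust settings change, which is the per-user configuration to avoid here.
trust_root_for_all_users() {
    is_pem_cert "$1" || return 3
    command -v security >/dev/null 2>&1 || return 2
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$1"
}

# Evaluate a certificate against the trust settings in effect for the
# account running the command. Exit status 0 means the chain is trusted.
verify_user_cert() {
    is_pem_cert "$1" || return 3
    command -v security >/dev/null 2>&1 || return 2
    security verify-cert -c "$1"
}

# Typical use on the Mac (user.pem is an assumed file name):
#   trust_root_for_all_users root.cer
#   verify_user_cert user.pem && echo "chain trusted"
```

Run `verify_user_cert` again from a second account, as suggested above: it should succeed there too if the trust setting is system-wide.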

Enjoy

You can now log out to go back to the login screen. After inserting your smartcard, your user should be selected and the prompt should display "PIN code:" instead of the classic "Password:".

You may want to update your default keychain password to be the same as your PIN code so that you can access your saved password automatically after logging in with the smartcard.

Conclusion

Using a smartcard to log in to macOS Sierra is easy to configure. But you have to take great care with the certificate chain between the CA and your certificate.

I used and described the legacy smart card authentication system. macOS Sierra introduced a new "smart card token" mechanism to replace tokend. That is for another blog article.

Releases

The CCID driver 1.4.25 was released on September 30th, 2016, and the macOS Sierra 10.12.2 upgrade was released on December 14, 2016, so 2.5 months later.

It is good news to see Apple integrating new versions of the CCID driver in "minor" operating system upgrades. It was already the case with macOS El Capitan (see "OS X El Capitan and CCID evolution").

Next upgrade

The current CCID version is 1.4.26 from 7 January 2017. I expect to see this version in the next minor Sierra upgrade: 10.12.3.